Finishing Configuration of Access Server

Now that you’ve installed Access Server, this documentation outlines next steps.

Find the URLs for your web server

When you complete the installation process on the command line, the output displays the URLs for your admin UI and client UI as well as the username and randomly generated password for the admin account.

+++++++++++++++++++++++++++++++++++++++++++++++ 
Access Server 2.11.3 has been successfully installed in /usr/local/openvpn_as
Configuration log file has been written to /usr/local/openvpn_as/init.log
 
Access Server Web UIs are available here:
Admin UI: https://192.168.102.130:943/admin
Client UI: https://192.168.102.130.943 
Login as "openvpn" with "RR4ImyhwbFFq" to continue
(password can be changed on Admin UI)
+++++++++++++++++++++++++++++++++++++++++++++++

Admin UI

The Admin UI is the web-based GUI for managing your Access Server. We also refer to it as the Admin Web UI. Typically, it is the address of your server with /admin/ appended, for example https://192.168.70.222/admin/.

When you sign in to the Admin Web UI, you can manage the configuration, certificate, users, and so on as an administrative user. The web-based GUI provides simplified management of complex VPN features rather than having to run Linux-based commands and scripts.

Client UI

The Client UI is the web-based GUI where users sign in to download clients or configuration files. Typically, it is the address of your server, https://192.168.70.222 as an example.

Note: The web services run on port TCP 943, by default, so you can visit them at https://192.168.70.222:943/ and https://192.168.70.222:943/admin/ as well. The OpenVPN TCP daemon that runs on TCP port 443 redirects incoming browser requests so that it is slightly easier for users to open the web interface by leaving the :943 part out.

First time logging into Admin Web UI

Administrative User

For the first use of the Admin Web UI, sign in with the openvpn user created during setup. The user’s password is randomly generated and displays in the output at the completion of setup.

On Access Server versions older than 2.9, you must manually set the password for the openvpn user with this command: passwd openvpn

You can now open a browser and enter your Admin Web UI address.

Invalid Certificate

Access Server’s web interface comes with a self-signed certificate. This allows you to sign in to the Admin Web UI right away. Since it’s self-signed, it triggers an expected warning. We recommend adding your own SSL certificate in the Admin Web UI to resolve this.

By clicking through to continue to the site, you can continue to the web interface. At the login screen, you can enter the username and password for your ‘openvpn’ user.

invalid-cert

Activating a subscription

The first time you sign in to the Admin Web UI, Access Server displays the Activation page so you can easily get an activation key:

  1. Click Get Activation Key.
  2. This takes you to the Access Server portal; sign in with your openvpn.com account if needed.
  3. Click Use Subscriptions (Recommended).
  4. Click Proceed With Subscription.
  5. Select the number of concurrent connections for your subscription (when you select Free, you get two connections).
  6. For a free subscription, click Create.
  7. For five or more connections, select your billing frequency and Proceed to Payment.
  8. Once you've finished obtaining a subscription, click Copy Key to copy the subscription key.
  9. Return to your Admin Web UI.
  10. Paste the subscription key in the text field.
  11. Click Activate.

Once your subscription loads, you can see the available connections. When users start connecting, you'll see how many are connected. You can also see the connection details on the Access Server portal by clicking Access Server Information.

Note: Refer to Which licensing models are available for Access Server for details about the difference between a subscription and a fixed license.

Setting up a hostname

We recommend using a hostname for your web interfaces and client connections, rather than the IP address of your server. It’s easier for clients and users to sign in with a domain such as vpn.example.com than to use an IP address.

Refer to Setting up your Access Server Hostname and follow the steps there.

Setting up authentication

Authentication with Local, RADIUS, LDAP, SAML, or PAM

Once signed in to the Admin Web UI, you can configure user authentication. Access Server supports local authentication where you configure users in the Admin Web UI. You can also use an external authentication system with PAM, RADIUS, LDAP, or SAML.

The default is local authentication where Access Server manages your credentials. Under User Management, you can add users and define their permissions at the user, group, and global level. You can also integrate with an external authentication system using PAM, RADIUS, LDAP, or SAML. For example, you can set up a connection to an LDAP connector to integrate with Windows Server Active Directory.

Access Server 2.10 and newer supports using multiple authentication systems simultaneously. Refer to Access Server’s User Authentication System for more information.

First time connecting to the VPN server

With your VPN server configured, your users can get connected.

Download a bundled VPN client to connect:

A user follows these steps to download a pre-configured OpenVPN Connect app:

  1. Navigate to the Client Web UI in a browser.
  2. Sign in with their user credentials.
  3. Choose the OpenVPN Connect app for their operating system.
  4. After it downloads, install the software.
  5. Open the app and click on the connection profile.
  6. The user is connected to your Access Server.

Download a connection profile:

A user follows these steps to download a connection profile. They can then load this file into an installed VPN client like OpenVPN Connect:

  1. Navigate to the Client Web UI in a browser.
  2. Sign in with their user credentials.
  3. Click on the link under Available Connection Profiles.
  4. After the connection profile downloads, upload that file to a VPN client.

Other ways to connect users:

Alternatively, as an admin, you can use these ways to connect your users:

  1. Have your users install OpenVPN Connect from our website, then download a connection profile from the Admin Web UI and distribute it to users.
  2. Create an OpenVPN Connect installer from the Access Server command-line interface and distribute it to users.

Test IP address for connection

Once connected, a simple test the user can perform is checking their IP address. If internet traffic travels over your encrypted VPN tunnel, the user's IP address changes when they connect to Access Server. If you configure split-tunnel traffic, their IP address remains the same for internet traffic.

For more information about configuring specific functions, you might find some of these links helpful:

Admin Web UI User Manual Resource Center Hardening Security